CVE-2026-50232 Overview
CVE-2026-50232 is a stored cross-site scripting (XSS) vulnerability in Lyrion Music Server version 9.2.0. Attackers inject JavaScript payloads into media file metadata tags such as GENRE, ARTIST, and ALBUM. The payloads execute in the web interface when authenticated users view track information or play affected files. Successful exploitation allows attackers to access management functions, disclose application settings, and perform actions in the context of the victim's session. The flaw is tracked under [CWE-79] (Improper Neutralization of Input During Web Page Generation).
Critical Impact
Authenticated attackers can persistently inject scripts into the music server interface through media metadata, leading to settings disclosure and unauthorized access to management functions.
Affected Products
- Lyrion Music Server 9.2.0
- Web interface components that render media metadata tags
- Track information and playback views processing GENRE, ARTIST, and ALBUM fields
Discovery Timeline
- 2026-06-05 - CVE-2026-50232 published to the National Vulnerability Database (NVD)
- 2026-06-08 - Last updated in NVD database
Technical Details for CVE-2026-50232
Vulnerability Analysis
The vulnerability stems from improper neutralization of user-controlled input embedded in media file metadata. Lyrion Music Server reads ID3 and similar metadata tags from audio files and renders the values directly into HTML responses. Because the application does not encode or sanitize these strings before output, attacker-supplied script content executes in the browser of any user who views the affected track.
This is a stored XSS condition. The payload persists in the server's media library and triggers each time the metadata is rendered. The attack requires the victim to interact with the malicious track or its information view in the web interface. Once executed, the script runs with the privileges of the authenticated session, enabling the attacker to issue requests against administrative endpoints and read configuration data exposed through the interface.
For full technical context, see the VulnCheck Security Advisory and the Zero Science Vulnerability Report.
Root Cause
The root cause is missing output encoding when rendering metadata fields parsed from media files: the server treats tag values as trusted display strings rather than untrusted input, so no HTML entity encoding or attribute escaping is applied before they reach the page. The absence of a Content Security Policy that blocks inline script removes the defense-in-depth layer that would otherwise limit the impact of that missing encoding.
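The rendering defect and its fix, as an added example that is not Lyrion Music Server code (the server itself is written in Perl; this Python mock-up with constructed tag values illustrates the same CWE-79 pattern in two output contexts, element text and a double-quoted attribute):

```python
"""Vulnerable vs. hardened rendering of track metadata.

Added example, not code from the advisory or from Lyrion Music Server. The
track dictionaries and payloads below are constructed for illustration.
"""
from html import escape

# Constructed track whose GENRE tag carries an event-handler payload of the
# kind the advisory describes.
TRACK = {
    "title": "Track 01",
    "artist": "Some Artist",
    "album": "Greatest Hits",
    "genre": '<img src=x onerror="fetch(\'/settings\')">',
}

# Constructed track whose ARTIST tag breaks out of a quoted attribute. It
# contains no angle brackets, so a filter that only strips < and > would pass it.
ATTR_TRACK = {
    "title": "Track 02",
    "artist": 'x" onmouseover="alert(1)',
    "album": "Greatest Hits",
    "genre": "Rock",
}


def render_track_vulnerable(track: dict) -> str:
    """Interpolates tag values straight into HTML: the CWE-79 pattern."""
    return (
        f'<div class="track" title="{track["artist"]} - {track["album"]}">'
        f'<span class="genre">{track["genre"]}</span></div>'
    )


def render_track_fixed(track: dict) -> str:
    """Encodes every tag value for the context it lands in.

    escape(quote=True) turns & < > " ' into entities, which is sufficient for
    element text and for values inside double-quoted attributes. Values placed
    in URLs or inline script would need their own context-specific encoding.
    """
    artist = escape(track["artist"], quote=True)
    album = escape(track["album"], quote=True)
    genre = escape(track["genre"], quote=True)
    return (
        f'<div class="track" title="{artist} - {album}">'
        f'<span class="genre">{genre}</span></div>'
    )


def has_live_markup(html_out: str) -> bool:
    """Crude check: does the output still contain a raw tag or handler attribute?"""
    return "<img" in html_out or 'onerror="' in html_out or '" onmouseover="' in html_out
```

Run either renderer over the two constructed tracks: the vulnerable one emits the `<img>` tag verbatim and lets the second track's artist value close the `title` attribute and add an `onmouseover` handler, while the fixed one emits `&lt;img ...&gt;` and `x&quot; onmouseover=&quot;alert(1)`, which the browser shows as text.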
Attack Vector
An attacker with low-privileged access crafts an audio file whose metadata tags contain HTML or JavaScript. The file is added to the library through any supported ingestion path such as a watched folder, network share, or library import. When another user navigates to the track information page or initiates playback, the embedded script executes in their browser session against the music server origin.
The vulnerability mechanism is described in prose because no verified proof-of-concept code is published in the referenced advisories. Refer to the Zero Science advisory for payload structure details.
Detection Methods for CVE-2026-50232
Indicators of Compromise
- Media files in the library whose GENRE, ARTIST, or ALBUM tags contain <script>, onerror=, onload=, or javascript: substrings
- Unexpected outbound HTTP requests from browsers immediately after viewing track information pages
- New or modified administrator settings recorded shortly after a user accessed a media track page
Detection Strategies
- Scan the media library for files whose ID3 or container metadata contains HTML tags or JavaScript event handlers using tools such as exiftool or mid3v2
- Review web server access logs for requests to administrative endpoints originating from sessions that previously loaded track information views
- Use browser developer tools or a web proxy capture to check whether rendered library pages contain script sourced from metadata fields (for example, a tag or event-handler attribute whose text matches a stored tag value)
Monitoring Recommendations
- Alert on additions of media files containing HTML tags, event-handler attributes, or javascript: URLs in standard metadata fields; a rule that fires on any angle bracket or quote will also catch legitimate titles and names, so use such a broad rule for triage rather than blocking
- Monitor authenticated session activity for sequences that view a track then immediately call settings or configuration endpoints
- Correlate library ingestion events with subsequent administrative API usage from the same user agent
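A scanner for the library-scan strategy and the ingestion alert above, as an added example that is not part of the advisory or of Lyrion Music Server. It parses ID3v2.3/2.4 text frames itself so it runs without exiftool or mutagen; the frame IDs, the detection regex, and the constructed sample tags are the author's assumptions:

```python
"""Scan ID3v2 text frames for HTML/JavaScript payloads.

Added example (not part of the advisory or of Lyrion Music Server): a minimal
ID3v2.3/2.4 text-frame parser plus a detector for the GENRE/ARTIST/ALBUM
indicators. Frame IDs, sample tags and the regex are the author's assumptions.
"""
import re
import struct
import sys

# ID3v2 frame IDs behind the fields the advisory names.
WATCHED_FRAMES = {"TCON": "GENRE", "TPE1": "ARTIST", "TALB": "ALBUM"}

# Tag-like markup, event-handler attributes, and javascript: URLs. Deliberately
# stricter than "any angle bracket or quote" so names like "<3" or "Guns N' Roses"
# do not alert; it is still a heuristic, not a parser of the rendered page.
SUSPICIOUS = re.compile(r"<\s*/?\s*[a-z][a-z0-9]*|\bon[a-z]+\s*=|javascript\s*:", re.I)


def _syncsafe(b: bytes) -> int:
    """4-byte syncsafe integer (7 bits per byte): tag size, and frame sizes in v2.4."""
    return (b[0] << 21) | (b[1] << 14) | (b[2] << 7) | b[3]


def _to_syncsafe(n: int) -> bytes:
    return bytes([(n >> 21) & 0x7F, (n >> 14) & 0x7F, (n >> 7) & 0x7F, n & 0x7F])


def _decode_text(data: bytes) -> str:
    """Text frame body: one encoding byte, then the string (NUL-terminated or not)."""
    if not data:
        return ""
    codec = {0: "latin-1", 1: "utf-16", 2: "utf-16-be", 3: "utf-8"}.get(data[0], "latin-1")
    return data[1:].decode(codec, "replace").rstrip("\x00")


def parse_id3v2_text_frames(blob: bytes) -> dict:
    """Return {frame_id: text} for T*** frames (TXXX excluded) in an ID3v2.3/2.4 tag.

    Best-effort: the extended header is skipped; unsynchronised, compressed or
    encrypted frames are not decoded.
    """
    if len(blob) < 10 or blob[:3] != b"ID3":
        return {}
    major, flags = blob[3], blob[5]
    end = min(10 + _syncsafe(blob[6:10]), len(blob))
    pos = 10
    if flags & 0x40:  # extended header: size excludes itself in v2.3, includes it in v2.4
        pos += _syncsafe(blob[10:14]) if major == 4 else struct.unpack(">I", blob[10:14])[0] + 4
    frames = {}
    while pos + 10 <= end:
        fid = blob[pos:pos + 4]
        if fid == b"\x00\x00\x00\x00":
            break  # padding after the last frame
        raw = blob[pos + 4:pos + 8]
        size = _syncsafe(raw) if major == 4 else struct.unpack(">I", raw)[0]
        body = blob[pos + 10:pos + 10 + size]
        if fid.startswith(b"T") and fid != b"TXXX":
            frames[fid.decode("ascii", "replace")] = _decode_text(body)
        pos += 10 + size
    return frames


def find_suspicious_tags(blob: bytes) -> dict:
    """{GENRE|ARTIST|ALBUM: value} for watched frames whose text matches SUSPICIOUS."""
    return {
        WATCHED_FRAMES[fid]: text
        for fid, text in parse_id3v2_text_frames(blob).items()
        if fid in WATCHED_FRAMES and SUSPICIOUS.search(text)
    }


def scan_file(path: str) -> dict:
    """Read only the ID3v2 tag at the start of a file and scan it."""
    with open(path, "rb") as fh:
        header = fh.read(10)
        if header[:3] != b"ID3":
            return {}
        return find_suspicious_tags(header + fh.read(_syncsafe(header[6:10])))


def build_id3v23(frames: dict) -> bytes:
    """Build a minimal ID3v2.3 tag (ISO-8859-1 text frames) for the constructed samples."""
    body = b""
    for fid, text in frames.items():
        data = b"\x00" + text.encode("latin-1")
        body += fid.encode("ascii") + struct.pack(">I", len(data)) + b"\x00\x00" + data
    return b"ID3\x03\x00\x00" + _to_syncsafe(len(body)) + body


# Constructed samples: one tag whose GENRE carries an event-handler payload of the
# kind the advisory describes, one benign tag with characters that a naive
# "angle bracket or quote" rule would flag.
MALICIOUS_TAG = build_id3v23({
    "TIT2": "Track 01",
    "TPE1": "Some Artist",
    "TALB": "Greatest Hits",
    "TCON": '<img src=x onerror="fetch(\'/settings\')">',
})
BENIGN_TAG = build_id3v23({"TPE1": "Guns N' Roses", "TALB": "<3 Live", "TCON": "Rock"})

if __name__ == "__main__":
    for path in sys.argv[1:]:  # usage: python scan_id3.py /music/**/*.mp3
        hits = scan_file(path)
        if hits:
            print(path, hits)
```

Run it over the library on a schedule or from the ingestion hook; only files whose watched frames match the pattern are printed, so the benign sample with an apostrophe and a bare `<3` stays quiet while the constructed `<img onerror=...>` genre is reported.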
How to Mitigate CVE-2026-50232
Immediate Actions Required
- Restrict who can add media files to the Lyrion Music Server library to trusted users only
- Remove or quarantine any media files containing HTML or JavaScript content in metadata tags
- Limit web interface access to trusted networks until a vendor fix is applied
Patch Information
No fixed version is listed in the referenced advisories at publication time. Monitor the VulnCheck advisory and the Zero Science advisory listing for updates from the Lyrion Music Server maintainers and apply the patched release once available.
Workarounds
- Sanitize metadata tags on ingestion by stripping HTML characters from GENRE, ARTIST, ALBUM, and related fields before they reach the server; this alters legitimate values (apostrophes, ampersands) and only covers the fields you remember to include, so treat it as a stopgap until the server encodes its own output
- Place the web interface behind a reverse proxy that adds a strict Content Security Policy disallowing inline scripts; test the policy against the interface first, because it also blocks any inline script the application's own pages rely on, and remember that the proxy only constrains what the browser executes and does not fix the rendering
- Require authentication for all interface routes and reduce the number of accounts with management privileges
# Example: strip HTML-significant characters from common ID3 tags using exiftool before import.
# -s3 prints the bare tag value; sed removes < > " ' and &. This also alters legitimate
# names (e.g. "Guns N' Roses"), and an empty result deletes the tag: a stopgap, not a fix.
strip_html() { exiftool -s3 -"$1" "$2" | sed 's/[<>"'\''&]//g'; }
exiftool -overwrite_original \
  -Genre="$(strip_html Genre file.mp3)" \
  -Artist="$(strip_html Artist file.mp3)" \
  -Album="$(strip_html Album file.mp3)" \
  file.mp3
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.